The approaches described in this section are approaches that could be pursued, but not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated, it should not be assumed that any of the approaches described in this section qualify as prior art merely by virtue of their inclusion in this section.
The number of attacks on various IT assets of an enterprise has increased tremendously. The rise in attacks has led to the creation and adoption of numerous tools to perform IT security vulnerability assessments. Each security vulnerability assessment tool tends to differ from other security vulnerability assessment tools in that each tool provides one or two features that other security vulnerability assessment tools do not provide. Therefore, it is quite common for an enterprise to use a plurality of security vulnerability assessment tools in assessing security vulnerabilities of its IT assets. In addition, many enterprises also hire third party auditors to audit the enterprise's IT assets. In fact, certain industries, such as the financial services and healthcare industries, are required to have their IT assets periodically audited by third party IT auditors.
The result of using numerous tools and auditing firms to assess vulnerabilities of IT assets is the generation of a large amount of data. Once the tools and the auditing firms produce the vulnerability data, the enterprise's IT security team must use the data to reduce each IT asset's risk of being successfully attacked. Unfortunately, the data generated by the tools and the auditors fail to provide the enterprise's IT security team with the necessary information to efficiently and effectively prioritize their task of reducing security risk to the enterprise's IT assets.
Therefore, more often than not, the enterprise's IT security team spends additional resources and incurs further costs in analyzing the data generated by the security vulnerability assessment tools and IT auditors in order to distinguish between the more critical IT security risks and the less critical ones. Furthermore, due to the inherent inaccuracy and inherent lack of information regarding the likelihood of a successful attack on an IT asset in the generated data, the enterprise's IT security team's further efforts fail to satisfactorily defend against the most likely and potentially successful attacks on the enterprise's IT assets. This problem is further exacerbated as the number of IT assets utilized by an enterprise grows at a rapid pace because the amount of vulnerability data generated by numerous security vulnerability tools and IT auditors would consequently grow at a significantly faster pace.